Teen exploits three 0-days to hack Chrome, earns $60K from Google

The end of this year’s editions of the Pwn2Own and Pwnium contests has been marked by another Chrome hack, executed by a teenage security researcher that goes by the alias “PinkiePie”, and the successful “pwnage” of Mozilla’s Firefox browser by researchers Willem Pinckaers and Vincenzo Iozzo.

The 17-year-old PinkiePie – who wanted to keep his face and real name secret because his current employer hasn’t sanctioned his participation in the contest – has, by his own admission, been lucky to discover a zero-day vulnerability that allowed him to break out of Chrome’s sandbox early in his research for the contest.

All in all, it took him a week and a half to find this flaw and two other vulnerabilities and write an exploit that would allow him to take control of the targeted computer – an achievement he demonstrated by showing the image of an axe-wielding pink pony on the machine.

The exploit itself did not require any particular action on behalf of a user except for regular web browsing.

Google’s researchers were given the details of the vulnerabilities and the exploit code mere moments after his win, and immediately started to work on securing the browser. According to Ars Technica, a new version of Chrome with the fix was pushed out less than 24 hours later.

“Congratulations to PinkiePie (aka PwniePie) for a beautiful piece of work to close out the Pwnium competition!” commented Google in an advisory that accompanied the update, confirming the researcher’s success and his win of $60,000.

The Internet giant also praised the full exploit demonstrated by Russian security researcher Sergey Glazunov early on in the contest, dubbing both exploits “works of art” and confirming that it will release details about them to the public once all packages are patched.

Glazunov is well known to Google, as he is a regular contributor to its bounty program, but PinkiePie had never submitted a vulnerability to the company.

He noted that he had sent his resume to Google last year, asking to be considered for a job at the company and claiming that he could hack Chrome on OS X, but that he never received a reply. There is no doubt that his request will be considered now.

In the meantime, researchers Willem Pinckaers and Vincenzo Iozzo concentrated their efforts on breaking Firefox, and they exploited a zero-day use-after-free vulnerability with an exploit that managed to evade Windows’ DEP and ASLR protections.

“We triggered the same vulnerability three times,” they explained. “We used it once to leak some information, then used it again to leak addresses of our data. Then, we used the same vulnerability a third time to get code execution.”

In the end, only Apple’s Safari remained untouched, as no one even tried to break it. Charlie Miller, the well-known researcher who has specialized in targeting Apple’s offerings at Pwn2Own, skipped the contest this year because the rules had been changed.

All in all, Google handed $120,000 in total to the two winners of Pwnium. The team of researchers from French firm VUPEN were the clear winners of the Pwn2Own contest, as they cracked both Chrome and IE, and wrote a number of exploits for already patched vulnerabilities. They were rewarded with $60,000.

Pinckaers and Iozzo earned themselves $30,000 for the Firefox hack, as they came in second place.